Best Practice (Good)
Set and enforce strict information barriers to regulate the flow of compliance-relevant, sensitive information between internal groups and third parties. Keep the transfer of such information to a minimum (“need to know” basis only). Establish a process that takes effect when a sensitive piece of information does need to cross the information barrier, so that it is disseminated only to relevant parties and in a secure manner.
Typical Practice (Bad)
Train employees on what types of information are compliance-relevant and trust their judgment to transmit only this information on a “need to know” basis within their organizational area.
Benefits: Ensures that sensitive information is not transmitted to unauthorized parties, knowingly or unknowingly, and mitigates the risk of information leakage. Also sets strict expectations for employees regarding the safekeeping of sensitive information.